1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12 #include <linux/jiffies.h> 13 #include <linux/kernel.h> 14 #include <linux/skbuff.h> 15 #include <linux/netdevice.h> 16 #include <linux/etherdevice.h> 17 #include <linux/rcupdate.h> 18 #include <net/mac80211.h> 19 #include <net/ieee80211_radiotap.h> 20 21 #include "ieee80211_i.h" 22 #include "led.h" 23 #include "mesh.h" 24 #include "wep.h" 25 #include "wpa.h" 26 #include "tkip.h" 27 #include "wme.h" 28 29 u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 30 struct tid_ampdu_rx *tid_agg_rx, 31 struct sk_buff *skb, u16 mpdu_seq_num, 32 int bar_req); 33 /* 34 * monitor mode reception 35 * 36 * This function cleans up the SKB, i.e. it removes all the stuff 37 * only useful for monitoring. 38 */ 39 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 40 struct sk_buff *skb, 41 int rtap_len) 42 { 43 skb_pull(skb, rtap_len); 44 45 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 46 if (likely(skb->len > FCS_LEN)) 47 skb_trim(skb, skb->len - FCS_LEN); 48 else { 49 /* driver bug */ 50 WARN_ON(1); 51 dev_kfree_skb(skb); 52 skb = NULL; 53 } 54 } 55 56 return skb; 57 } 58 59 static inline int should_drop_frame(struct ieee80211_rx_status *status, 60 struct sk_buff *skb, 61 int present_fcs_len, 62 int radiotap_len) 63 { 64 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 65 66 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 67 return 1; 68 if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len)) 69 return 1; 70 if (((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) == 71 cpu_to_le16(IEEE80211_FTYPE_CTL)) && 72 ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) != 73 cpu_to_le16(IEEE80211_STYPE_PSPOLL)) && 74 ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) != 75 cpu_to_le16(IEEE80211_STYPE_BACK_REQ))) 76 return 1; 77 return 0; 78 } 79 80 /* 81 * This function copies a received frame to all monitor interfaces and 82 * returns a cleaned-up SKB that no longer includes the FCS nor the 83 * radiotap header the driver might have added. 84 */ 85 static struct sk_buff * 86 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 87 struct ieee80211_rx_status *status, 88 struct ieee80211_rate *rate) 89 { 90 struct ieee80211_sub_if_data *sdata; 91 int needed_headroom = 0; 92 struct ieee80211_radiotap_header *rthdr; 93 __le64 *rttsft = NULL; 94 struct ieee80211_rtap_fixed_data { 95 u8 flags; 96 u8 rate; 97 __le16 chan_freq; 98 __le16 chan_flags; 99 u8 antsignal; 100 u8 padding_for_rxflags; 101 __le16 rx_flags; 102 } __attribute__ ((packed)) *rtfixed; 103 struct sk_buff *skb, *skb2; 104 struct net_device *prev_dev = NULL; 105 int present_fcs_len = 0; 106 int rtap_len = 0; 107 108 /* 109 * First, we may need to make a copy of the skb because 110 * (1) we need to modify it for radiotap (if not present), and 111 * (2) the other RX handlers will modify the skb we got. 112 * 113 * We don't need to, of course, if we aren't going to return 114 * the SKB because it has a bad FCS/PLCP checksum. 115 */ 116 if (status->flag & RX_FLAG_RADIOTAP) 117 rtap_len = ieee80211_get_radiotap_len(origskb->data); 118 else 119 /* room for radiotap header, always present fields and TSFT */ 120 needed_headroom = sizeof(*rthdr) + sizeof(*rtfixed) + 8; 121 122 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 123 present_fcs_len = FCS_LEN; 124 125 if (!local->monitors) { 126 if (should_drop_frame(status, origskb, present_fcs_len, 127 rtap_len)) { 128 dev_kfree_skb(origskb); 129 return NULL; 130 } 131 132 return remove_monitor_info(local, origskb, rtap_len); 133 } 134 135 if (should_drop_frame(status, origskb, present_fcs_len, rtap_len)) { 136 /* only need to expand headroom if necessary */ 137 skb = origskb; 138 origskb = NULL; 139 140 /* 141 * This shouldn't trigger often because most devices have an 142 * RX header they pull before we get here, and that should 143 * be big enough for our radiotap information. We should 144 * probably export the length to drivers so that we can have 145 * them allocate enough headroom to start with. 146 */ 147 if (skb_headroom(skb) < needed_headroom && 148 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 149 dev_kfree_skb(skb); 150 return NULL; 151 } 152 } else { 153 /* 154 * Need to make a copy and possibly remove radiotap header 155 * and FCS from the original. 156 */ 157 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 158 159 origskb = remove_monitor_info(local, origskb, rtap_len); 160 161 if (!skb) 162 return origskb; 163 } 164 165 /* if necessary, prepend radiotap information */ 166 if (!(status->flag & RX_FLAG_RADIOTAP)) { 167 rtfixed = (void *) skb_push(skb, sizeof(*rtfixed)); 168 rtap_len = sizeof(*rthdr) + sizeof(*rtfixed); 169 if (status->flag & RX_FLAG_TSFT) { 170 rttsft = (void *) skb_push(skb, sizeof(*rttsft)); 171 rtap_len += 8; 172 } 173 rthdr = (void *) skb_push(skb, sizeof(*rthdr)); 174 memset(rthdr, 0, sizeof(*rthdr)); 175 memset(rtfixed, 0, sizeof(*rtfixed)); 176 rthdr->it_present = 177 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 178 (1 << IEEE80211_RADIOTAP_RATE) | 179 (1 << IEEE80211_RADIOTAP_CHANNEL) | 180 (1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL) | 181 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 182 rtfixed->flags = 0; 183 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 184 rtfixed->flags |= IEEE80211_RADIOTAP_F_FCS; 185 186 if (rttsft) { 187 *rttsft = cpu_to_le64(status->mactime); 188 rthdr->it_present |= 189 cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 190 } 191 192 /* FIXME: when radiotap gets a 'bad PLCP' flag use it here */ 193 rtfixed->rx_flags = 0; 194 if (status->flag & 195 (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 196 rtfixed->rx_flags |= 197 cpu_to_le16(IEEE80211_RADIOTAP_F_RX_BADFCS); 198 199 rtfixed->rate = rate->bitrate / 5; 200 201 rtfixed->chan_freq = cpu_to_le16(status->freq); 202 203 if (status->band == IEEE80211_BAND_5GHZ) 204 rtfixed->chan_flags = 205 cpu_to_le16(IEEE80211_CHAN_OFDM | 206 IEEE80211_CHAN_5GHZ); 207 else 208 rtfixed->chan_flags = 209 cpu_to_le16(IEEE80211_CHAN_DYN | 210 IEEE80211_CHAN_2GHZ); 211 212 rtfixed->antsignal = status->ssi; 213 rthdr->it_len = cpu_to_le16(rtap_len); 214 } 215 216 skb_reset_mac_header(skb); 217 skb->ip_summed = CHECKSUM_UNNECESSARY; 218 skb->pkt_type = PACKET_OTHERHOST; 219 skb->protocol = htons(ETH_P_802_2); 220 221 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 222 if (!netif_running(sdata->dev)) 223 continue; 224 225 if (sdata->vif.type != IEEE80211_IF_TYPE_MNTR) 226 continue; 227 228 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 229 continue; 230 231 if (prev_dev) { 232 skb2 = skb_clone(skb, GFP_ATOMIC); 233 if (skb2) { 234 skb2->dev = prev_dev; 235 netif_rx(skb2); 236 } 237 } 238 239 prev_dev = sdata->dev; 240 sdata->dev->stats.rx_packets++; 241 sdata->dev->stats.rx_bytes += skb->len; 242 } 243 244 if (prev_dev) { 245 skb->dev = prev_dev; 246 netif_rx(skb); 247 } else 248 dev_kfree_skb(skb); 249 250 return origskb; 251 } 252 253 254 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 255 { 256 u8 *data = rx->skb->data; 257 int tid; 258 259 /* does the frame have a qos control field? */ 260 if (WLAN_FC_IS_QOS_DATA(rx->fc)) { 261 u8 *qc = data + ieee80211_get_hdrlen(rx->fc) - QOS_CONTROL_LEN; 262 /* frame has qos control */ 263 tid = qc[0] & QOS_CONTROL_TID_MASK; 264 if (qc[0] & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT) 265 rx->flags |= IEEE80211_RX_AMSDU; 266 else 267 rx->flags &= ~IEEE80211_RX_AMSDU; 268 } else { 269 if (unlikely((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)) { 270 /* Separate TID for management frames */ 271 tid = NUM_RX_DATA_QUEUES - 1; 272 } else { 273 /* no qos control present */ 274 tid = 0; /* 802.1d - Best Effort */ 275 } 276 } 277 278 I802_DEBUG_INC(rx->local->wme_rx_queue[tid]); 279 /* only a debug counter, sta might not be assigned properly yet */ 280 if (rx->sta) 281 I802_DEBUG_INC(rx->sta->wme_rx_queue[tid]); 282 283 rx->queue = tid; 284 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 285 * For now, set skb->priority to 0 for other cases. */ 286 rx->skb->priority = (tid > 7) ? 0 : tid; 287 } 288 289 static void ieee80211_verify_ip_alignment(struct ieee80211_rx_data *rx) 290 { 291 #ifdef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT 292 int hdrlen; 293 294 if (!WLAN_FC_DATA_PRESENT(rx->fc)) 295 return; 296 297 /* 298 * Drivers are required to align the payload data in a way that 299 * guarantees that the contained IP header is aligned to a four- 300 * byte boundary. In the case of regular frames, this simply means 301 * aligning the payload to a four-byte boundary (because either 302 * the IP header is directly contained, or IV/RFC1042 headers that 303 * have a length divisible by four are in front of it. 304 * 305 * With A-MSDU frames, however, the payload data address must 306 * yield two modulo four because there are 14-byte 802.3 headers 307 * within the A-MSDU frames that push the IP header further back 308 * to a multiple of four again. Thankfully, the specs were sane 309 * enough this time around to require padding each A-MSDU subframe 310 * to a length that is a multiple of four. 311 * 312 * Padding like atheros hardware adds which is inbetween the 802.11 313 * header and the payload is not supported, the driver is required 314 * to move the 802.11 header further back in that case. 315 */ 316 hdrlen = ieee80211_get_hdrlen(rx->fc); 317 if (rx->flags & IEEE80211_RX_AMSDU) 318 hdrlen += ETH_HLEN; 319 WARN_ON_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3); 320 #endif 321 } 322 323 324 static u32 ieee80211_rx_load_stats(struct ieee80211_local *local, 325 struct sk_buff *skb, 326 struct ieee80211_rx_status *status, 327 struct ieee80211_rate *rate) 328 { 329 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 330 u32 load = 0, hdrtime; 331 332 /* Estimate total channel use caused by this frame */ 333 334 /* 1 bit at 1 Mbit/s takes 1 usec; in channel_use values, 335 * 1 usec = 1/8 * (1080 / 10) = 13.5 */ 336 337 if (status->band == IEEE80211_BAND_5GHZ || 338 (status->band == IEEE80211_BAND_5GHZ && 339 rate->flags & IEEE80211_RATE_ERP_G)) 340 hdrtime = CHAN_UTIL_HDR_SHORT; 341 else 342 hdrtime = CHAN_UTIL_HDR_LONG; 343 344 load = hdrtime; 345 if (!is_multicast_ether_addr(hdr->addr1)) 346 load += hdrtime; 347 348 /* TODO: optimise again */ 349 load += skb->len * CHAN_UTIL_RATE_LCM / rate->bitrate; 350 351 /* Divide channel_use by 8 to avoid wrapping around the counter */ 352 load >>= CHAN_UTIL_SHIFT; 353 354 return load; 355 } 356 357 /* rx handlers */ 358 359 static ieee80211_rx_result 360 ieee80211_rx_h_if_stats(struct ieee80211_rx_data *rx) 361 { 362 if (rx->sta) 363 rx->sta->channel_use_raw += rx->load; 364 rx->sdata->channel_use_raw += rx->load; 365 return RX_CONTINUE; 366 } 367 368 static ieee80211_rx_result 369 ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx) 370 { 371 struct ieee80211_local *local = rx->local; 372 struct sk_buff *skb = rx->skb; 373 374 if (unlikely(local->sta_hw_scanning)) 375 return ieee80211_sta_rx_scan(rx->dev, skb, rx->status); 376 377 if (unlikely(local->sta_sw_scanning)) { 378 /* drop all the other packets during a software scan anyway */ 379 if (ieee80211_sta_rx_scan(rx->dev, skb, rx->status) 380 != RX_QUEUED) 381 dev_kfree_skb(skb); 382 return RX_QUEUED; 383 } 384 385 if (unlikely(rx->flags & IEEE80211_RX_IN_SCAN)) { 386 /* scanning finished during invoking of handlers */ 387 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan); 388 return RX_DROP_UNUSABLE; 389 } 390 391 return RX_CONTINUE; 392 } 393 394 static ieee80211_rx_result 395 ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 396 { 397 int hdrlen = ieee80211_get_hdrlen(rx->fc); 398 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 399 400 #define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l)) 401 402 if ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA) { 403 if (!((rx->fc & IEEE80211_FCTL_FROMDS) && 404 (rx->fc & IEEE80211_FCTL_TODS))) 405 return RX_DROP_MONITOR; 406 if (memcmp(hdr->addr4, rx->dev->dev_addr, ETH_ALEN) == 0) 407 return RX_DROP_MONITOR; 408 } 409 410 /* If there is not an established peer link and this is not a peer link 411 * establisment frame, beacon or probe, drop the frame. 412 */ 413 414 if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) { 415 struct ieee80211_mgmt *mgmt; 416 417 if ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) 418 return RX_DROP_MONITOR; 419 420 switch (rx->fc & IEEE80211_FCTL_STYPE) { 421 case IEEE80211_STYPE_ACTION: 422 mgmt = (struct ieee80211_mgmt *)hdr; 423 if (mgmt->u.action.category != PLINK_CATEGORY) 424 return RX_DROP_MONITOR; 425 /* fall through on else */ 426 case IEEE80211_STYPE_PROBE_REQ: 427 case IEEE80211_STYPE_PROBE_RESP: 428 case IEEE80211_STYPE_BEACON: 429 return RX_CONTINUE; 430 break; 431 default: 432 return RX_DROP_MONITOR; 433 } 434 435 } else if ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA && 436 is_multicast_ether_addr(hdr->addr1) && 437 mesh_rmc_check(hdr->addr4, msh_h_get(hdr, hdrlen), rx->dev)) 438 return RX_DROP_MONITOR; 439 #undef msh_h_get 440 441 return RX_CONTINUE; 442 } 443 444 445 static ieee80211_rx_result 446 ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 447 { 448 struct ieee80211_hdr *hdr; 449 450 hdr = (struct ieee80211_hdr *) rx->skb->data; 451 452 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 453 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 454 if (unlikely(rx->fc & IEEE80211_FCTL_RETRY && 455 rx->sta->last_seq_ctrl[rx->queue] == 456 hdr->seq_ctrl)) { 457 if (rx->flags & IEEE80211_RX_RA_MATCH) { 458 rx->local->dot11FrameDuplicateCount++; 459 rx->sta->num_duplicates++; 460 } 461 return RX_DROP_MONITOR; 462 } else 463 rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl; 464 } 465 466 if (unlikely(rx->skb->len < 16)) { 467 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 468 return RX_DROP_MONITOR; 469 } 470 471 /* Drop disallowed frame classes based on STA auth/assoc state; 472 * IEEE 802.11, Chap 5.5. 473 * 474 * 80211.o does filtering only based on association state, i.e., it 475 * drops Class 3 frames from not associated stations. hostapd sends 476 * deauth/disassoc frames when needed. In addition, hostapd is 477 * responsible for filtering on both auth and assoc states. 478 */ 479 480 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 481 return ieee80211_rx_mesh_check(rx); 482 483 if (unlikely(((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA || 484 ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_CTL && 485 (rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)) && 486 rx->sdata->vif.type != IEEE80211_IF_TYPE_IBSS && 487 (!rx->sta || !(rx->sta->flags & WLAN_STA_ASSOC)))) { 488 if ((!(rx->fc & IEEE80211_FCTL_FROMDS) && 489 !(rx->fc & IEEE80211_FCTL_TODS) && 490 (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA) 491 || !(rx->flags & IEEE80211_RX_RA_MATCH)) { 492 /* Drop IBSS frames and frames for other hosts 493 * silently. */ 494 return RX_DROP_MONITOR; 495 } 496 497 return RX_DROP_MONITOR; 498 } 499 500 return RX_CONTINUE; 501 } 502 503 504 static ieee80211_rx_result 505 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 506 { 507 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 508 int keyidx; 509 int hdrlen; 510 ieee80211_rx_result result = RX_DROP_UNUSABLE; 511 struct ieee80211_key *stakey = NULL; 512 513 /* 514 * Key selection 101 515 * 516 * There are three types of keys: 517 * - GTK (group keys) 518 * - PTK (pairwise keys) 519 * - STK (station-to-station pairwise keys) 520 * 521 * When selecting a key, we have to distinguish between multicast 522 * (including broadcast) and unicast frames, the latter can only 523 * use PTKs and STKs while the former always use GTKs. Unless, of 524 * course, actual WEP keys ("pre-RSNA") are used, then unicast 525 * frames can also use key indizes like GTKs. Hence, if we don't 526 * have a PTK/STK we check the key index for a WEP key. 527 * 528 * Note that in a regular BSS, multicast frames are sent by the 529 * AP only, associated stations unicast the frame to the AP first 530 * which then multicasts it on their behalf. 531 * 532 * There is also a slight problem in IBSS mode: GTKs are negotiated 533 * with each station, that is something we don't currently handle. 534 * The spec seems to expect that one negotiates the same key with 535 * every station but there's no such requirement; VLANs could be 536 * possible. 537 */ 538 539 if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) 540 return RX_CONTINUE; 541 542 /* 543 * No point in finding a key and decrypting if the frame is neither 544 * addressed to us nor a multicast frame. 545 */ 546 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 547 return RX_CONTINUE; 548 549 if (rx->sta) 550 stakey = rcu_dereference(rx->sta->key); 551 552 if (!is_multicast_ether_addr(hdr->addr1) && stakey) { 553 rx->key = stakey; 554 } else { 555 /* 556 * The device doesn't give us the IV so we won't be 557 * able to look up the key. That's ok though, we 558 * don't need to decrypt the frame, we just won't 559 * be able to keep statistics accurate. 560 * Except for key threshold notifications, should 561 * we somehow allow the driver to tell us which key 562 * the hardware used if this flag is set? 563 */ 564 if ((rx->status->flag & RX_FLAG_DECRYPTED) && 565 (rx->status->flag & RX_FLAG_IV_STRIPPED)) 566 return RX_CONTINUE; 567 568 hdrlen = ieee80211_get_hdrlen(rx->fc); 569 570 if (rx->skb->len < 8 + hdrlen) 571 return RX_DROP_UNUSABLE; /* TODO: count this? */ 572 573 /* 574 * no need to call ieee80211_wep_get_keyidx, 575 * it verifies a bunch of things we've done already 576 */ 577 keyidx = rx->skb->data[hdrlen + 3] >> 6; 578 579 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 580 581 /* 582 * RSNA-protected unicast frames should always be sent with 583 * pairwise or station-to-station keys, but for WEP we allow 584 * using a key index as well. 585 */ 586 if (rx->key && rx->key->conf.alg != ALG_WEP && 587 !is_multicast_ether_addr(hdr->addr1)) 588 rx->key = NULL; 589 } 590 591 if (rx->key) { 592 rx->key->tx_rx_count++; 593 /* TODO: add threshold stuff again */ 594 } else { 595 #ifdef CONFIG_MAC80211_DEBUG 596 if (net_ratelimit()) 597 printk(KERN_DEBUG "%s: RX protected frame," 598 " but have no key\n", rx->dev->name); 599 #endif /* CONFIG_MAC80211_DEBUG */ 600 return RX_DROP_MONITOR; 601 } 602 603 /* Check for weak IVs if possible */ 604 if (rx->sta && rx->key->conf.alg == ALG_WEP && 605 ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA) && 606 (!(rx->status->flag & RX_FLAG_IV_STRIPPED) || 607 !(rx->status->flag & RX_FLAG_DECRYPTED)) && 608 ieee80211_wep_is_weak_iv(rx->skb, rx->key)) 609 rx->sta->wep_weak_iv_count++; 610 611 switch (rx->key->conf.alg) { 612 case ALG_WEP: 613 result = ieee80211_crypto_wep_decrypt(rx); 614 break; 615 case ALG_TKIP: 616 result = ieee80211_crypto_tkip_decrypt(rx); 617 break; 618 case ALG_CCMP: 619 result = ieee80211_crypto_ccmp_decrypt(rx); 620 break; 621 } 622 623 /* either the frame has been decrypted or will be dropped */ 624 rx->status->flag |= RX_FLAG_DECRYPTED; 625 626 return result; 627 } 628 629 static void ap_sta_ps_start(struct net_device *dev, struct sta_info *sta) 630 { 631 struct ieee80211_sub_if_data *sdata; 632 DECLARE_MAC_BUF(mac); 633 634 sdata = sta->sdata; 635 636 if (sdata->bss) 637 atomic_inc(&sdata->bss->num_sta_ps); 638 sta->flags |= WLAN_STA_PS; 639 sta->flags &= ~WLAN_STA_PSPOLL; 640 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 641 printk(KERN_DEBUG "%s: STA %s aid %d enters power save mode\n", 642 dev->name, print_mac(mac, sta->addr), sta->aid); 643 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 644 } 645 646 static int ap_sta_ps_end(struct net_device *dev, struct sta_info *sta) 647 { 648 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 649 struct sk_buff *skb; 650 int sent = 0; 651 struct ieee80211_sub_if_data *sdata; 652 struct ieee80211_tx_packet_data *pkt_data; 653 DECLARE_MAC_BUF(mac); 654 655 sdata = sta->sdata; 656 657 if (sdata->bss) 658 atomic_dec(&sdata->bss->num_sta_ps); 659 660 sta->flags &= ~(WLAN_STA_PS | WLAN_STA_PSPOLL); 661 662 if (!skb_queue_empty(&sta->ps_tx_buf)) 663 sta_info_clear_tim_bit(sta); 664 665 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 666 printk(KERN_DEBUG "%s: STA %s aid %d exits power save mode\n", 667 dev->name, print_mac(mac, sta->addr), sta->aid); 668 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 669 670 /* Send all buffered frames to the station */ 671 while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) { 672 pkt_data = (struct ieee80211_tx_packet_data *) skb->cb; 673 sent++; 674 pkt_data->flags |= IEEE80211_TXPD_REQUEUE; 675 dev_queue_xmit(skb); 676 } 677 while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) { 678 pkt_data = (struct ieee80211_tx_packet_data *) skb->cb; 679 local->total_ps_buffered--; 680 sent++; 681 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 682 printk(KERN_DEBUG "%s: STA %s aid %d send PS frame " 683 "since STA not sleeping anymore\n", dev->name, 684 print_mac(mac, sta->addr), sta->aid); 685 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 686 pkt_data->flags |= IEEE80211_TXPD_REQUEUE; 687 dev_queue_xmit(skb); 688 } 689 690 return sent; 691 } 692 693 static ieee80211_rx_result 694 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 695 { 696 struct sta_info *sta = rx->sta; 697 struct net_device *dev = rx->dev; 698 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 699 700 if (!sta) 701 return RX_CONTINUE; 702 703 /* Update last_rx only for IBSS packets which are for the current 704 * BSSID to avoid keeping the current IBSS network alive in cases where 705 * other STAs are using different BSSID. */ 706 if (rx->sdata->vif.type == IEEE80211_IF_TYPE_IBSS) { 707 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 708 IEEE80211_IF_TYPE_IBSS); 709 if (compare_ether_addr(bssid, rx->sdata->u.sta.bssid) == 0) 710 sta->last_rx = jiffies; 711 } else 712 if (!is_multicast_ether_addr(hdr->addr1) || 713 rx->sdata->vif.type == IEEE80211_IF_TYPE_STA) { 714 /* Update last_rx only for unicast frames in order to prevent 715 * the Probe Request frames (the only broadcast frames from a 716 * STA in infrastructure mode) from keeping a connection alive. 717 * Mesh beacons will update last_rx when if they are found to 718 * match the current local configuration when processed. 719 */ 720 sta->last_rx = jiffies; 721 } 722 723 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 724 return RX_CONTINUE; 725 726 sta->rx_fragments++; 727 sta->rx_bytes += rx->skb->len; 728 sta->last_rssi = rx->status->ssi; 729 sta->last_signal = rx->status->signal; 730 sta->last_noise = rx->status->noise; 731 732 if (!(rx->fc & IEEE80211_FCTL_MOREFRAGS)) { 733 /* Change STA power saving mode only in the end of a frame 734 * exchange sequence */ 735 if ((sta->flags & WLAN_STA_PS) && !(rx->fc & IEEE80211_FCTL_PM)) 736 rx->sent_ps_buffered += ap_sta_ps_end(dev, sta); 737 else if (!(sta->flags & WLAN_STA_PS) && 738 (rx->fc & IEEE80211_FCTL_PM)) 739 ap_sta_ps_start(dev, sta); 740 } 741 742 /* Drop data::nullfunc frames silently, since they are used only to 743 * control station power saving mode. */ 744 if ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA && 745 (rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_NULLFUNC) { 746 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 747 /* Update counter and free packet here to avoid counting this 748 * as a dropped packed. */ 749 sta->rx_packets++; 750 dev_kfree_skb(rx->skb); 751 return RX_QUEUED; 752 } 753 754 return RX_CONTINUE; 755 } /* ieee80211_rx_h_sta_process */ 756 757 static inline struct ieee80211_fragment_entry * 758 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 759 unsigned int frag, unsigned int seq, int rx_queue, 760 struct sk_buff **skb) 761 { 762 struct ieee80211_fragment_entry *entry; 763 int idx; 764 765 idx = sdata->fragment_next; 766 entry = &sdata->fragments[sdata->fragment_next++]; 767 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 768 sdata->fragment_next = 0; 769 770 if (!skb_queue_empty(&entry->skb_list)) { 771 #ifdef CONFIG_MAC80211_DEBUG 772 struct ieee80211_hdr *hdr = 773 (struct ieee80211_hdr *) entry->skb_list.next->data; 774 DECLARE_MAC_BUF(mac); 775 DECLARE_MAC_BUF(mac2); 776 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 777 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 778 "addr1=%s addr2=%s\n", 779 sdata->dev->name, idx, 780 jiffies - entry->first_frag_time, entry->seq, 781 entry->last_frag, print_mac(mac, hdr->addr1), 782 print_mac(mac2, hdr->addr2)); 783 #endif /* CONFIG_MAC80211_DEBUG */ 784 __skb_queue_purge(&entry->skb_list); 785 } 786 787 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 788 *skb = NULL; 789 entry->first_frag_time = jiffies; 790 entry->seq = seq; 791 entry->rx_queue = rx_queue; 792 entry->last_frag = frag; 793 entry->ccmp = 0; 794 entry->extra_len = 0; 795 796 return entry; 797 } 798 799 static inline struct ieee80211_fragment_entry * 800 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 801 u16 fc, unsigned int frag, unsigned int seq, 802 int rx_queue, struct ieee80211_hdr *hdr) 803 { 804 struct ieee80211_fragment_entry *entry; 805 int i, idx; 806 807 idx = sdata->fragment_next; 808 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 809 struct ieee80211_hdr *f_hdr; 810 u16 f_fc; 811 812 idx--; 813 if (idx < 0) 814 idx = IEEE80211_FRAGMENT_MAX - 1; 815 816 entry = &sdata->fragments[idx]; 817 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 818 entry->rx_queue != rx_queue || 819 entry->last_frag + 1 != frag) 820 continue; 821 822 f_hdr = (struct ieee80211_hdr *) entry->skb_list.next->data; 823 f_fc = le16_to_cpu(f_hdr->frame_control); 824 825 if ((fc & IEEE80211_FCTL_FTYPE) != (f_fc & IEEE80211_FCTL_FTYPE) || 826 compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 || 827 compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0) 828 continue; 829 830 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 831 __skb_queue_purge(&entry->skb_list); 832 continue; 833 } 834 return entry; 835 } 836 837 return NULL; 838 } 839 840 static ieee80211_rx_result 841 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 842 { 843 struct ieee80211_hdr *hdr; 844 u16 sc; 845 unsigned int frag, seq; 846 struct ieee80211_fragment_entry *entry; 847 struct sk_buff *skb; 848 DECLARE_MAC_BUF(mac); 849 850 hdr = (struct ieee80211_hdr *) rx->skb->data; 851 sc = le16_to_cpu(hdr->seq_ctrl); 852 frag = sc & IEEE80211_SCTL_FRAG; 853 854 if (likely((!(rx->fc & IEEE80211_FCTL_MOREFRAGS) && frag == 0) || 855 (rx->skb)->len < 24 || 856 is_multicast_ether_addr(hdr->addr1))) { 857 /* not fragmented */ 858 goto out; 859 } 860 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 861 862 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 863 864 if (frag == 0) { 865 /* This is the first fragment of a new frame. */ 866 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 867 rx->queue, &(rx->skb)); 868 if (rx->key && rx->key->conf.alg == ALG_CCMP && 869 (rx->fc & IEEE80211_FCTL_PROTECTED)) { 870 /* Store CCMP PN so that we can verify that the next 871 * fragment has a sequential PN value. */ 872 entry->ccmp = 1; 873 memcpy(entry->last_pn, 874 rx->key->u.ccmp.rx_pn[rx->queue], 875 CCMP_PN_LEN); 876 } 877 return RX_QUEUED; 878 } 879 880 /* This is a fragment for a frame that should already be pending in 881 * fragment cache. Add this fragment to the end of the pending entry. 882 */ 883 entry = ieee80211_reassemble_find(rx->sdata, rx->fc, frag, seq, 884 rx->queue, hdr); 885 if (!entry) { 886 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 887 return RX_DROP_MONITOR; 888 } 889 890 /* Verify that MPDUs within one MSDU have sequential PN values. 891 * (IEEE 802.11i, 8.3.3.4.5) */ 892 if (entry->ccmp) { 893 int i; 894 u8 pn[CCMP_PN_LEN], *rpn; 895 if (!rx->key || rx->key->conf.alg != ALG_CCMP) 896 return RX_DROP_UNUSABLE; 897 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 898 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 899 pn[i]++; 900 if (pn[i]) 901 break; 902 } 903 rpn = rx->key->u.ccmp.rx_pn[rx->queue]; 904 if (memcmp(pn, rpn, CCMP_PN_LEN) != 0) { 905 if (net_ratelimit()) 906 printk(KERN_DEBUG "%s: defrag: CCMP PN not " 907 "sequential A2=%s" 908 " PN=%02x%02x%02x%02x%02x%02x " 909 "(expected %02x%02x%02x%02x%02x%02x)\n", 910 rx->dev->name, print_mac(mac, hdr->addr2), 911 rpn[0], rpn[1], rpn[2], rpn[3], rpn[4], 912 rpn[5], pn[0], pn[1], pn[2], pn[3], 913 pn[4], pn[5]); 914 return RX_DROP_UNUSABLE; 915 } 916 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 917 } 918 919 skb_pull(rx->skb, ieee80211_get_hdrlen(rx->fc)); 920 __skb_queue_tail(&entry->skb_list, rx->skb); 921 entry->last_frag = frag; 922 entry->extra_len += rx->skb->len; 923 if (rx->fc & IEEE80211_FCTL_MOREFRAGS) { 924 rx->skb = NULL; 925 return RX_QUEUED; 926 } 927 928 rx->skb = __skb_dequeue(&entry->skb_list); 929 if (skb_tailroom(rx->skb) < entry->extra_len) { 930 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 931 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 932 GFP_ATOMIC))) { 933 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 934 __skb_queue_purge(&entry->skb_list); 935 return RX_DROP_UNUSABLE; 936 } 937 } 938 while ((skb = __skb_dequeue(&entry->skb_list))) { 939 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 940 dev_kfree_skb(skb); 941 } 942 943 /* Complete frame has been reassembled - process it now */ 944 rx->flags |= IEEE80211_RX_FRAGMENTED; 945 946 out: 947 if (rx->sta) 948 rx->sta->rx_packets++; 949 if (is_multicast_ether_addr(hdr->addr1)) 950 rx->local->dot11MulticastReceivedFrameCount++; 951 else 952 ieee80211_led_rx(rx->local); 953 return RX_CONTINUE; 954 } 955 956 static ieee80211_rx_result 957 ieee80211_rx_h_ps_poll(struct ieee80211_rx_data *rx) 958 { 959 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 960 struct sk_buff *skb; 961 int no_pending_pkts; 962 DECLARE_MAC_BUF(mac); 963 964 if (likely(!rx->sta || 965 (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL || 966 (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_PSPOLL || 967 !(rx->flags & IEEE80211_RX_RA_MATCH))) 968 return RX_CONTINUE; 969 970 if ((sdata->vif.type != IEEE80211_IF_TYPE_AP) && 971 (sdata->vif.type != IEEE80211_IF_TYPE_VLAN)) 972 return RX_DROP_UNUSABLE; 973 974 skb = skb_dequeue(&rx->sta->tx_filtered); 975 if (!skb) { 976 skb = skb_dequeue(&rx->sta->ps_tx_buf); 977 if (skb) 978 rx->local->total_ps_buffered--; 979 } 980 no_pending_pkts = skb_queue_empty(&rx->sta->tx_filtered) && 981 skb_queue_empty(&rx->sta->ps_tx_buf); 982 983 if (skb) { 984 struct ieee80211_hdr *hdr = 985 (struct ieee80211_hdr *) skb->data; 986 987 /* 988 * Tell TX path to send one frame even though the STA may 989 * still remain is PS mode after this frame exchange. 990 */ 991 rx->sta->flags |= WLAN_STA_PSPOLL; 992 993 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 994 printk(KERN_DEBUG "STA %s aid %d: PS Poll (entries after %d)\n", 995 print_mac(mac, rx->sta->addr), rx->sta->aid, 996 skb_queue_len(&rx->sta->ps_tx_buf)); 997 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 998 999 /* Use MoreData flag to indicate whether there are more 1000 * buffered frames for this STA */ 1001 if (no_pending_pkts) 1002 hdr->frame_control &= cpu_to_le16(~IEEE80211_FCTL_MOREDATA); 1003 else 1004 hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_MOREDATA); 1005 1006 dev_queue_xmit(skb); 1007 1008 if (no_pending_pkts) 1009 sta_info_clear_tim_bit(rx->sta); 1010 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1011 } else if (!rx->sent_ps_buffered) { 1012 /* 1013 * FIXME: This can be the result of a race condition between 1014 * us expiring a frame and the station polling for it. 1015 * Should we send it a null-func frame indicating we 1016 * have nothing buffered for it? 1017 */ 1018 printk(KERN_DEBUG "%s: STA %s sent PS Poll even " 1019 "though there is no buffered frames for it\n", 1020 rx->dev->name, print_mac(mac, rx->sta->addr)); 1021 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1022 } 1023 1024 /* Free PS Poll skb here instead of returning RX_DROP that would 1025 * count as an dropped frame. */ 1026 dev_kfree_skb(rx->skb); 1027 1028 return RX_QUEUED; 1029 } 1030 1031 static ieee80211_rx_result 1032 ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx) 1033 { 1034 u16 fc = rx->fc; 1035 u8 *data = rx->skb->data; 1036 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) data; 1037 1038 if (!WLAN_FC_IS_QOS_DATA(fc)) 1039 return RX_CONTINUE; 1040 1041 /* remove the qos control field, update frame type and meta-data */ 1042 memmove(data + 2, data, ieee80211_get_hdrlen(fc) - 2); 1043 hdr = (struct ieee80211_hdr *) skb_pull(rx->skb, 2); 1044 /* change frame type to non QOS */ 1045 rx->fc = fc &= ~IEEE80211_STYPE_QOS_DATA; 1046 hdr->frame_control = cpu_to_le16(fc); 1047 1048 return RX_CONTINUE; 1049 } 1050 1051 static int 1052 ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1053 { 1054 if (unlikely(!rx->sta || !(rx->sta->flags & WLAN_STA_AUTHORIZED))) { 1055 #ifdef CONFIG_MAC80211_DEBUG 1056 if (net_ratelimit()) 1057 printk(KERN_DEBUG "%s: dropped frame " 1058 "(unauthorized port)\n", rx->dev->name); 1059 #endif /* CONFIG_MAC80211_DEBUG */ 1060 return -EACCES; 1061 } 1062 1063 return 0; 1064 } 1065 1066 static int 1067 ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx) 1068 { 1069 /* 1070 * Pass through unencrypted frames if the hardware has 1071 * decrypted them already. 1072 */ 1073 if (rx->status->flag & RX_FLAG_DECRYPTED) 1074 return 0; 1075 1076 /* Drop unencrypted frames if key is set. */ 1077 if (unlikely(!(rx->fc & IEEE80211_FCTL_PROTECTED) && 1078 (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA && 1079 (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_NULLFUNC && 1080 (rx->key || rx->sdata->drop_unencrypted))) 1081 return -EACCES; 1082 1083 return 0; 1084 } 1085 1086 static int 1087 ieee80211_data_to_8023(struct ieee80211_rx_data *rx) 1088 { 1089 struct net_device *dev = rx->dev; 1090 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 1091 u16 fc, hdrlen, ethertype; 1092 u8 *payload; 1093 u8 dst[ETH_ALEN]; 1094 u8 src[ETH_ALEN]; 1095 struct sk_buff *skb = rx->skb; 1096 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1097 DECLARE_MAC_BUF(mac); 1098 DECLARE_MAC_BUF(mac2); 1099 DECLARE_MAC_BUF(mac3); 1100 DECLARE_MAC_BUF(mac4); 1101 1102 fc = rx->fc; 1103 1104 if (unlikely(!WLAN_FC_DATA_PRESENT(fc))) 1105 return -1; 1106 1107 hdrlen = ieee80211_get_hdrlen(fc); 1108 1109 if (ieee80211_vif_is_mesh(&sdata->vif)) { 1110 int meshhdrlen = ieee80211_get_mesh_hdrlen( 1111 (struct ieee80211s_hdr *) (skb->data + hdrlen)); 1112 /* Copy on cb: 1113 * - mesh header: to be used for mesh forwarding 1114 * decision. It will also be used as mesh header template at 1115 * tx.c:ieee80211_subif_start_xmit() if interface 1116 * type is mesh and skb->pkt_type == PACKET_OTHERHOST 1117 * - ta: to be used if a RERR needs to be sent. 1118 */ 1119 memcpy(skb->cb, skb->data + hdrlen, meshhdrlen); 1120 memcpy(MESH_PREQ(skb), hdr->addr2, ETH_ALEN); 1121 hdrlen += meshhdrlen; 1122 } 1123 1124 /* convert IEEE 802.11 header + possible LLC headers into Ethernet 1125 * header 1126 * IEEE 802.11 address fields: 1127 * ToDS FromDS Addr1 Addr2 Addr3 Addr4 1128 * 0 0 DA SA BSSID n/a 1129 * 0 1 DA BSSID SA n/a 1130 * 1 0 BSSID SA DA n/a 1131 * 1 1 RA TA DA SA 1132 */ 1133 1134 switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) { 1135 case IEEE80211_FCTL_TODS: 1136 /* BSSID SA DA */ 1137 memcpy(dst, hdr->addr3, ETH_ALEN); 1138 memcpy(src, hdr->addr2, ETH_ALEN); 1139 1140 if (unlikely(sdata->vif.type != IEEE80211_IF_TYPE_AP && 1141 sdata->vif.type != IEEE80211_IF_TYPE_VLAN)) { 1142 if (net_ratelimit()) 1143 printk(KERN_DEBUG "%s: dropped ToDS frame " 1144 "(BSSID=%s SA=%s DA=%s)\n", 1145 dev->name, 1146 print_mac(mac, hdr->addr1), 1147 print_mac(mac2, hdr->addr2), 1148 print_mac(mac3, hdr->addr3)); 1149 return -1; 1150 } 1151 break; 1152 case (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS): 1153 /* RA TA DA SA */ 1154 memcpy(dst, hdr->addr3, ETH_ALEN); 1155 memcpy(src, hdr->addr4, ETH_ALEN); 1156 1157 if (unlikely(sdata->vif.type != IEEE80211_IF_TYPE_WDS && 1158 sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT)) { 1159 if (net_ratelimit()) 1160 printk(KERN_DEBUG "%s: dropped FromDS&ToDS " 1161 "frame (RA=%s TA=%s DA=%s SA=%s)\n", 1162 rx->dev->name, 1163 print_mac(mac, hdr->addr1), 1164 print_mac(mac2, hdr->addr2), 1165 print_mac(mac3, hdr->addr3), 1166 print_mac(mac4, hdr->addr4)); 1167 return -1; 1168 } 1169 break; 1170 case IEEE80211_FCTL_FROMDS: 1171 /* DA BSSID SA */ 1172 memcpy(dst, hdr->addr1, ETH_ALEN); 1173 memcpy(src, hdr->addr3, ETH_ALEN); 1174 1175 if (sdata->vif.type != IEEE80211_IF_TYPE_STA || 1176 (is_multicast_ether_addr(dst) && 1177 !compare_ether_addr(src, dev->dev_addr))) 1178 return -1; 1179 break; 1180 case 0: 1181 /* DA SA BSSID */ 1182 memcpy(dst, hdr->addr1, ETH_ALEN); 1183 memcpy(src, hdr->addr2, ETH_ALEN); 1184 1185 if (sdata->vif.type != IEEE80211_IF_TYPE_IBSS) { 1186 if (net_ratelimit()) { 1187 printk(KERN_DEBUG "%s: dropped IBSS frame " 1188 "(DA=%s SA=%s BSSID=%s)\n", 1189 dev->name, 1190 print_mac(mac, hdr->addr1), 1191 print_mac(mac2, hdr->addr2), 1192 print_mac(mac3, hdr->addr3)); 1193 } 1194 return -1; 1195 } 1196 break; 1197 } 1198 1199 if (unlikely(skb->len - hdrlen < 8)) { 1200 if (net_ratelimit()) { 1201 printk(KERN_DEBUG "%s: RX too short data frame " 1202 "payload\n", dev->name); 1203 } 1204 return -1; 1205 } 1206 1207 payload = skb->data + hdrlen; 1208 ethertype = (payload[6] << 8) | payload[7]; 1209 1210 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1211 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1212 compare_ether_addr(payload, bridge_tunnel_header) == 0)) { 1213 /* remove RFC1042 or Bridge-Tunnel encapsulation and 1214 * replace EtherType */ 1215 skb_pull(skb, hdrlen + 6); 1216 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1217 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1218 } else { 1219 struct ethhdr *ehdr; 1220 __be16 len; 1221 1222 skb_pull(skb, hdrlen); 1223 len = htons(skb->len); 1224 ehdr = (struct ethhdr *) skb_push(skb, sizeof(struct ethhdr)); 1225 memcpy(ehdr->h_dest, dst, ETH_ALEN); 1226 memcpy(ehdr->h_source, src, ETH_ALEN); 1227 ehdr->h_proto = len; 1228 } 1229 return 0; 1230 } 1231 1232 /* 1233 * requires that rx->skb is a frame with ethernet header 1234 */ 1235 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx) 1236 { 1237 static const u8 pae_group_addr[ETH_ALEN] 1238 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1239 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1240 1241 /* 1242 * Allow EAPOL frames to us/the PAE group address regardless 1243 * of whether the frame was encrypted or not. 1244 */ 1245 if (ehdr->h_proto == htons(ETH_P_PAE) && 1246 (compare_ether_addr(ehdr->h_dest, rx->dev->dev_addr) == 0 || 1247 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1248 return true; 1249 1250 if (ieee80211_802_1x_port_control(rx) || 1251 ieee80211_drop_unencrypted(rx)) 1252 return false; 1253 1254 return true; 1255 } 1256 1257 /* 1258 * requires that rx->skb is a frame with ethernet header 1259 */ 1260 static void 1261 ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1262 { 1263 struct net_device *dev = rx->dev; 1264 struct ieee80211_local *local = rx->local; 1265 struct sk_buff *skb, *xmit_skb; 1266 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1267 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1268 struct sta_info *dsta; 1269 1270 skb = rx->skb; 1271 xmit_skb = NULL; 1272 1273 if (local->bridge_packets && (sdata->vif.type == IEEE80211_IF_TYPE_AP || 1274 sdata->vif.type == IEEE80211_IF_TYPE_VLAN) && 1275 (rx->flags & IEEE80211_RX_RA_MATCH)) { 1276 if (is_multicast_ether_addr(ehdr->h_dest)) { 1277 /* 1278 * send multicast frames both to higher layers in 1279 * local net stack and back to the wireless medium 1280 */ 1281 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1282 if (!xmit_skb && net_ratelimit()) 1283 printk(KERN_DEBUG "%s: failed to clone " 1284 "multicast frame\n", dev->name); 1285 } else { 1286 dsta = sta_info_get(local, skb->data); 1287 if (dsta && dsta->sdata->dev == dev) { 1288 /* 1289 * The destination station is associated to 1290 * this AP (in this VLAN), so send the frame 1291 * directly to it and do not pass it to local 1292 * net stack. 1293 */ 1294 xmit_skb = skb; 1295 skb = NULL; 1296 } 1297 } 1298 } 1299 1300 /* Mesh forwarding */ 1301 if (ieee80211_vif_is_mesh(&sdata->vif)) { 1302 u8 *mesh_ttl = &((struct ieee80211s_hdr *)skb->cb)->ttl; 1303 (*mesh_ttl)--; 1304 1305 if (is_multicast_ether_addr(skb->data)) { 1306 if (*mesh_ttl > 0) { 1307 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1308 if (xmit_skb) 1309 xmit_skb->pkt_type = PACKET_OTHERHOST; 1310 else if (net_ratelimit()) 1311 printk(KERN_DEBUG "%s: failed to clone " 1312 "multicast frame\n", dev->name); 1313 } else 1314 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.sta, 1315 dropped_frames_ttl); 1316 } else if (skb->pkt_type != PACKET_OTHERHOST && 1317 compare_ether_addr(dev->dev_addr, skb->data) != 0) { 1318 if (*mesh_ttl == 0) { 1319 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.sta, 1320 dropped_frames_ttl); 1321 dev_kfree_skb(skb); 1322 skb = NULL; 1323 } else { 1324 xmit_skb = skb; 1325 xmit_skb->pkt_type = PACKET_OTHERHOST; 1326 if (!(dev->flags & IFF_PROMISC)) 1327 skb = NULL; 1328 } 1329 } 1330 } 1331 1332 if (skb) { 1333 /* deliver to local stack */ 1334 skb->protocol = eth_type_trans(skb, dev); 1335 memset(skb->cb, 0, sizeof(skb->cb)); 1336 netif_rx(skb); 1337 } 1338 1339 if (xmit_skb) { 1340 /* send to wireless media */ 1341 xmit_skb->protocol = htons(ETH_P_802_3); 1342 skb_reset_network_header(xmit_skb); 1343 skb_reset_mac_header(xmit_skb); 1344 dev_queue_xmit(xmit_skb); 1345 } 1346 } 1347 1348 static ieee80211_rx_result 1349 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1350 { 1351 struct net_device *dev = rx->dev; 1352 struct ieee80211_local *local = rx->local; 1353 u16 fc, ethertype; 1354 u8 *payload; 1355 struct sk_buff *skb = rx->skb, *frame = NULL; 1356 const struct ethhdr *eth; 1357 int remaining, err; 1358 u8 dst[ETH_ALEN]; 1359 u8 src[ETH_ALEN]; 1360 DECLARE_MAC_BUF(mac); 1361 1362 fc = rx->fc; 1363 if (unlikely((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA)) 1364 return RX_CONTINUE; 1365 1366 if (unlikely(!WLAN_FC_DATA_PRESENT(fc))) 1367 return RX_DROP_MONITOR; 1368 1369 if (!(rx->flags & IEEE80211_RX_AMSDU)) 1370 return RX_CONTINUE; 1371 1372 err = ieee80211_data_to_8023(rx); 1373 if (unlikely(err)) 1374 return RX_DROP_UNUSABLE; 1375 1376 skb->dev = dev; 1377 1378 dev->stats.rx_packets++; 1379 dev->stats.rx_bytes += skb->len; 1380 1381 /* skip the wrapping header */ 1382 eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr)); 1383 if (!eth) 1384 return RX_DROP_UNUSABLE; 1385 1386 while (skb != frame) { 1387 u8 padding; 1388 __be16 len = eth->h_proto; 1389 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len); 1390 1391 remaining = skb->len; 1392 memcpy(dst, eth->h_dest, ETH_ALEN); 1393 memcpy(src, eth->h_source, ETH_ALEN); 1394 1395 padding = ((4 - subframe_len) & 0x3); 1396 /* the last MSDU has no padding */ 1397 if (subframe_len > remaining) { 1398 printk(KERN_DEBUG "%s: wrong buffer size\n", dev->name); 1399 return RX_DROP_UNUSABLE; 1400 } 1401 1402 skb_pull(skb, sizeof(struct ethhdr)); 1403 /* if last subframe reuse skb */ 1404 if (remaining <= subframe_len + padding) 1405 frame = skb; 1406 else { 1407 frame = dev_alloc_skb(local->hw.extra_tx_headroom + 1408 subframe_len); 1409 1410 if (frame == NULL) 1411 return RX_DROP_UNUSABLE; 1412 1413 skb_reserve(frame, local->hw.extra_tx_headroom + 1414 sizeof(struct ethhdr)); 1415 memcpy(skb_put(frame, ntohs(len)), skb->data, 1416 ntohs(len)); 1417 1418 eth = (struct ethhdr *) skb_pull(skb, ntohs(len) + 1419 padding); 1420 if (!eth) { 1421 printk(KERN_DEBUG "%s: wrong buffer size\n", 1422 dev->name); 1423 dev_kfree_skb(frame); 1424 return RX_DROP_UNUSABLE; 1425 } 1426 } 1427 1428 skb_reset_network_header(frame); 1429 frame->dev = dev; 1430 frame->priority = skb->priority; 1431 rx->skb = frame; 1432 1433 payload = frame->data; 1434 ethertype = (payload[6] << 8) | payload[7]; 1435 1436 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1437 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1438 compare_ether_addr(payload, 1439 bridge_tunnel_header) == 0)) { 1440 /* remove RFC1042 or Bridge-Tunnel 1441 * encapsulation and replace EtherType */ 1442 skb_pull(frame, 6); 1443 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1444 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1445 } else { 1446 memcpy(skb_push(frame, sizeof(__be16)), 1447 &len, sizeof(__be16)); 1448 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1449 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1450 } 1451 1452 if (!ieee80211_frame_allowed(rx)) { 1453 if (skb == frame) /* last frame */ 1454 return RX_DROP_UNUSABLE; 1455 dev_kfree_skb(frame); 1456 continue; 1457 } 1458 1459 ieee80211_deliver_skb(rx); 1460 } 1461 1462 return RX_QUEUED; 1463 } 1464 1465 static ieee80211_rx_result 1466 ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 1467 { 1468 struct net_device *dev = rx->dev; 1469 u16 fc; 1470 int err; 1471 1472 fc = rx->fc; 1473 if (unlikely((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA)) 1474 return RX_CONTINUE; 1475 1476 if (unlikely(!WLAN_FC_DATA_PRESENT(fc))) 1477 return RX_DROP_MONITOR; 1478 1479 err = ieee80211_data_to_8023(rx); 1480 if (unlikely(err)) 1481 return RX_DROP_UNUSABLE; 1482 1483 if (!ieee80211_frame_allowed(rx)) 1484 return RX_DROP_MONITOR; 1485 1486 rx->skb->dev = dev; 1487 1488 dev->stats.rx_packets++; 1489 dev->stats.rx_bytes += rx->skb->len; 1490 1491 ieee80211_deliver_skb(rx); 1492 1493 return RX_QUEUED; 1494 } 1495 1496 static ieee80211_rx_result 1497 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx) 1498 { 1499 struct ieee80211_local *local = rx->local; 1500 struct ieee80211_hw *hw = &local->hw; 1501 struct sk_buff *skb = rx->skb; 1502 struct ieee80211_bar *bar = (struct ieee80211_bar *) skb->data; 1503 struct tid_ampdu_rx *tid_agg_rx; 1504 u16 start_seq_num; 1505 u16 tid; 1506 1507 if (likely((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL)) 1508 return RX_CONTINUE; 1509 1510 if ((rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_BACK_REQ) { 1511 if (!rx->sta) 1512 return RX_CONTINUE; 1513 tid = le16_to_cpu(bar->control) >> 12; 1514 if (rx->sta->ampdu_mlme.tid_state_rx[tid] 1515 != HT_AGG_STATE_OPERATIONAL) 1516 return RX_CONTINUE; 1517 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid]; 1518 1519 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; 1520 1521 /* reset session timer */ 1522 if (tid_agg_rx->timeout) { 1523 unsigned long expires = 1524 jiffies + (tid_agg_rx->timeout / 1000) * HZ; 1525 mod_timer(&tid_agg_rx->session_timer, expires); 1526 } 1527 1528 /* manage reordering buffer according to requested */ 1529 /* sequence number */ 1530 rcu_read_lock(); 1531 ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, 1532 start_seq_num, 1); 1533 rcu_read_unlock(); 1534 return RX_DROP_UNUSABLE; 1535 } 1536 1537 return RX_CONTINUE; 1538 } 1539 1540 static ieee80211_rx_result 1541 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 1542 { 1543 struct ieee80211_sub_if_data *sdata; 1544 1545 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1546 return RX_DROP_MONITOR; 1547 1548 sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 1549 if ((sdata->vif.type == IEEE80211_IF_TYPE_STA || 1550 sdata->vif.type == IEEE80211_IF_TYPE_IBSS || 1551 sdata->vif.type == IEEE80211_IF_TYPE_MESH_POINT) && 1552 !(sdata->flags & IEEE80211_SDATA_USERSPACE_MLME)) 1553 ieee80211_sta_rx_mgmt(rx->dev, rx->skb, rx->status); 1554 else 1555 return RX_DROP_MONITOR; 1556 1557 return RX_QUEUED; 1558 } 1559 1560 static void ieee80211_rx_michael_mic_report(struct net_device *dev, 1561 struct ieee80211_hdr *hdr, 1562 struct ieee80211_rx_data *rx) 1563 { 1564 int keyidx, hdrlen; 1565 DECLARE_MAC_BUF(mac); 1566 DECLARE_MAC_BUF(mac2); 1567 1568 hdrlen = ieee80211_get_hdrlen_from_skb(rx->skb); 1569 if (rx->skb->len >= hdrlen + 4) 1570 keyidx = rx->skb->data[hdrlen + 3] >> 6; 1571 else 1572 keyidx = -1; 1573 1574 if (net_ratelimit()) 1575 printk(KERN_DEBUG "%s: TKIP hwaccel reported Michael MIC " 1576 "failure from %s to %s keyidx=%d\n", 1577 dev->name, print_mac(mac, hdr->addr2), 1578 print_mac(mac2, hdr->addr1), keyidx); 1579 1580 if (!rx->sta) { 1581 /* 1582 * Some hardware seem to generate incorrect Michael MIC 1583 * reports; ignore them to avoid triggering countermeasures. 1584 */ 1585 if (net_ratelimit()) 1586 printk(KERN_DEBUG "%s: ignored spurious Michael MIC " 1587 "error for unknown address %s\n", 1588 dev->name, print_mac(mac, hdr->addr2)); 1589 goto ignore; 1590 } 1591 1592 if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) { 1593 if (net_ratelimit()) 1594 printk(KERN_DEBUG "%s: ignored spurious Michael MIC " 1595 "error for a frame with no PROTECTED flag (src " 1596 "%s)\n", dev->name, print_mac(mac, hdr->addr2)); 1597 goto ignore; 1598 } 1599 1600 if (rx->sdata->vif.type == IEEE80211_IF_TYPE_AP && keyidx) { 1601 /* 1602 * APs with pairwise keys should never receive Michael MIC 1603 * errors for non-zero keyidx because these are reserved for 1604 * group keys and only the AP is sending real multicast 1605 * frames in the BSS. 1606 */ 1607 if (net_ratelimit()) 1608 printk(KERN_DEBUG "%s: ignored Michael MIC error for " 1609 "a frame with non-zero keyidx (%d)" 1610 " (src %s)\n", dev->name, keyidx, 1611 print_mac(mac, hdr->addr2)); 1612 goto ignore; 1613 } 1614 1615 if ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA && 1616 ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT || 1617 (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_AUTH)) { 1618 if (net_ratelimit()) 1619 printk(KERN_DEBUG "%s: ignored spurious Michael MIC " 1620 "error for a frame that cannot be encrypted " 1621 "(fc=0x%04x) (src %s)\n", 1622 dev->name, rx->fc, print_mac(mac, hdr->addr2)); 1623 goto ignore; 1624 } 1625 1626 mac80211_ev_michael_mic_failure(rx->dev, keyidx, hdr); 1627 ignore: 1628 dev_kfree_skb(rx->skb); 1629 rx->skb = NULL; 1630 } 1631 1632 /* TODO: use IEEE80211_RX_FRAGMENTED */ 1633 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx) 1634 { 1635 struct ieee80211_sub_if_data *sdata; 1636 struct ieee80211_local *local = rx->local; 1637 struct ieee80211_rtap_hdr { 1638 struct ieee80211_radiotap_header hdr; 1639 u8 flags; 1640 u8 rate; 1641 __le16 chan_freq; 1642 __le16 chan_flags; 1643 } __attribute__ ((packed)) *rthdr; 1644 struct sk_buff *skb = rx->skb, *skb2; 1645 struct net_device *prev_dev = NULL; 1646 struct ieee80211_rx_status *status = rx->status; 1647 1648 if (rx->flags & IEEE80211_RX_CMNTR_REPORTED) 1649 goto out_free_skb; 1650 1651 if (skb_headroom(skb) < sizeof(*rthdr) && 1652 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 1653 goto out_free_skb; 1654 1655 rthdr = (void *)skb_push(skb, sizeof(*rthdr)); 1656 memset(rthdr, 0, sizeof(*rthdr)); 1657 rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr)); 1658 rthdr->hdr.it_present = 1659 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 1660 (1 << IEEE80211_RADIOTAP_RATE) | 1661 (1 << IEEE80211_RADIOTAP_CHANNEL)); 1662 1663 rthdr->rate = rx->rate->bitrate / 5; 1664 rthdr->chan_freq = cpu_to_le16(status->freq); 1665 1666 if (status->band == IEEE80211_BAND_5GHZ) 1667 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM | 1668 IEEE80211_CHAN_5GHZ); 1669 else 1670 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN | 1671 IEEE80211_CHAN_2GHZ); 1672 1673 skb_set_mac_header(skb, 0); 1674 skb->ip_summed = CHECKSUM_UNNECESSARY; 1675 skb->pkt_type = PACKET_OTHERHOST; 1676 skb->protocol = htons(ETH_P_802_2); 1677 1678 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 1679 if (!netif_running(sdata->dev)) 1680 continue; 1681 1682 if (sdata->vif.type != IEEE80211_IF_TYPE_MNTR || 1683 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 1684 continue; 1685 1686 if (prev_dev) { 1687 skb2 = skb_clone(skb, GFP_ATOMIC); 1688 if (skb2) { 1689 skb2->dev = prev_dev; 1690 netif_rx(skb2); 1691 } 1692 } 1693 1694 prev_dev = sdata->dev; 1695 sdata->dev->stats.rx_packets++; 1696 sdata->dev->stats.rx_bytes += skb->len; 1697 } 1698 1699 if (prev_dev) { 1700 skb->dev = prev_dev; 1701 netif_rx(skb); 1702 skb = NULL; 1703 } else 1704 goto out_free_skb; 1705 1706 rx->flags |= IEEE80211_RX_CMNTR_REPORTED; 1707 return; 1708 1709 out_free_skb: 1710 dev_kfree_skb(skb); 1711 } 1712 1713 typedef ieee80211_rx_result (*ieee80211_rx_handler)(struct ieee80211_rx_data *); 1714 static ieee80211_rx_handler ieee80211_rx_handlers[] = 1715 { 1716 ieee80211_rx_h_if_stats, 1717 ieee80211_rx_h_passive_scan, 1718 ieee80211_rx_h_check, 1719 ieee80211_rx_h_decrypt, 1720 ieee80211_rx_h_sta_process, 1721 ieee80211_rx_h_defragment, 1722 ieee80211_rx_h_ps_poll, 1723 ieee80211_rx_h_michael_mic_verify, 1724 /* this must be after decryption - so header is counted in MPDU mic 1725 * must be before pae and data, so QOS_DATA format frames 1726 * are not passed to user space by these functions 1727 */ 1728 ieee80211_rx_h_remove_qos_control, 1729 ieee80211_rx_h_amsdu, 1730 ieee80211_rx_h_data, 1731 ieee80211_rx_h_ctrl, 1732 ieee80211_rx_h_mgmt, 1733 NULL 1734 }; 1735 1736 static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata, 1737 struct ieee80211_rx_data *rx, 1738 struct sk_buff *skb) 1739 { 1740 ieee80211_rx_handler *handler; 1741 ieee80211_rx_result res = RX_DROP_MONITOR; 1742 1743 rx->skb = skb; 1744 rx->sdata = sdata; 1745 rx->dev = sdata->dev; 1746 1747 for (handler = ieee80211_rx_handlers; *handler != NULL; handler++) { 1748 res = (*handler)(rx); 1749 1750 switch (res) { 1751 case RX_CONTINUE: 1752 continue; 1753 case RX_DROP_UNUSABLE: 1754 case RX_DROP_MONITOR: 1755 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 1756 if (rx->sta) 1757 rx->sta->rx_dropped++; 1758 break; 1759 case RX_QUEUED: 1760 I802_DEBUG_INC(sdata->local->rx_handlers_queued); 1761 break; 1762 } 1763 break; 1764 } 1765 1766 switch (res) { 1767 case RX_CONTINUE: 1768 case RX_DROP_MONITOR: 1769 ieee80211_rx_cooked_monitor(rx); 1770 break; 1771 case RX_DROP_UNUSABLE: 1772 dev_kfree_skb(rx->skb); 1773 break; 1774 } 1775 } 1776 1777 /* main receive path */ 1778 1779 static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata, 1780 u8 *bssid, struct ieee80211_rx_data *rx, 1781 struct ieee80211_hdr *hdr) 1782 { 1783 int multicast = is_multicast_ether_addr(hdr->addr1); 1784 1785 switch (sdata->vif.type) { 1786 case IEEE80211_IF_TYPE_STA: 1787 if (!bssid) 1788 return 0; 1789 if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) { 1790 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 1791 return 0; 1792 rx->flags &= ~IEEE80211_RX_RA_MATCH; 1793 } else if (!multicast && 1794 compare_ether_addr(sdata->dev->dev_addr, 1795 hdr->addr1) != 0) { 1796 if (!(sdata->dev->flags & IFF_PROMISC)) 1797 return 0; 1798 rx->flags &= ~IEEE80211_RX_RA_MATCH; 1799 } 1800 break; 1801 case IEEE80211_IF_TYPE_IBSS: 1802 if (!bssid) 1803 return 0; 1804 if ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT && 1805 (rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_BEACON) 1806 return 1; 1807 else if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) { 1808 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 1809 return 0; 1810 rx->flags &= ~IEEE80211_RX_RA_MATCH; 1811 } else if (!multicast && 1812 compare_ether_addr(sdata->dev->dev_addr, 1813 hdr->addr1) != 0) { 1814 if (!(sdata->dev->flags & IFF_PROMISC)) 1815 return 0; 1816 rx->flags &= ~IEEE80211_RX_RA_MATCH; 1817 } else if (!rx->sta) 1818 rx->sta = ieee80211_ibss_add_sta(sdata->dev, rx->skb, 1819 bssid, hdr->addr2); 1820 break; 1821 case IEEE80211_IF_TYPE_MESH_POINT: 1822 if (!multicast && 1823 compare_ether_addr(sdata->dev->dev_addr, 1824 hdr->addr1) != 0) { 1825 if (!(sdata->dev->flags & IFF_PROMISC)) 1826 return 0; 1827 1828 rx->flags &= ~IEEE80211_RX_RA_MATCH; 1829 } 1830 break; 1831 case IEEE80211_IF_TYPE_VLAN: 1832 case IEEE80211_IF_TYPE_AP: 1833 if (!bssid) { 1834 if (compare_ether_addr(sdata->dev->dev_addr, 1835 hdr->addr1)) 1836 return 0; 1837 } else if (!ieee80211_bssid_match(bssid, 1838 sdata->dev->dev_addr)) { 1839 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 1840 return 0; 1841 rx->flags &= ~IEEE80211_RX_RA_MATCH; 1842 } 1843 if (sdata->dev == sdata->local->mdev && 1844 !(rx->flags & IEEE80211_RX_IN_SCAN)) 1845 /* do not receive anything via 1846 * master device when not scanning */ 1847 return 0; 1848 break; 1849 case IEEE80211_IF_TYPE_WDS: 1850 if (bssid || 1851 (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA) 1852 return 0; 1853 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2)) 1854 return 0; 1855 break; 1856 case IEEE80211_IF_TYPE_MNTR: 1857 /* take everything */ 1858 break; 1859 case IEEE80211_IF_TYPE_INVALID: 1860 /* should never get here */ 1861 WARN_ON(1); 1862 break; 1863 } 1864 1865 return 1; 1866 } 1867 1868 /* 1869 * This is the actual Rx frames handler. as it blongs to Rx path it must 1870 * be called with rcu_read_lock protection. 1871 */ 1872 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 1873 struct sk_buff *skb, 1874 struct ieee80211_rx_status *status, 1875 u32 load, 1876 struct ieee80211_rate *rate) 1877 { 1878 struct ieee80211_local *local = hw_to_local(hw); 1879 struct ieee80211_sub_if_data *sdata; 1880 struct ieee80211_hdr *hdr; 1881 struct ieee80211_rx_data rx; 1882 u16 type; 1883 int prepares; 1884 struct ieee80211_sub_if_data *prev = NULL; 1885 struct sk_buff *skb_new; 1886 u8 *bssid; 1887 1888 hdr = (struct ieee80211_hdr *) skb->data; 1889 memset(&rx, 0, sizeof(rx)); 1890 rx.skb = skb; 1891 rx.local = local; 1892 1893 rx.status = status; 1894 rx.load = load; 1895 rx.rate = rate; 1896 rx.fc = le16_to_cpu(hdr->frame_control); 1897 type = rx.fc & IEEE80211_FCTL_FTYPE; 1898 1899 if (type == IEEE80211_FTYPE_DATA || type == IEEE80211_FTYPE_MGMT) 1900 local->dot11ReceivedFragmentCount++; 1901 1902 rx.sta = sta_info_get(local, hdr->addr2); 1903 if (rx.sta) { 1904 rx.sdata = rx.sta->sdata; 1905 rx.dev = rx.sta->sdata->dev; 1906 } 1907 1908 if ((status->flag & RX_FLAG_MMIC_ERROR)) { 1909 ieee80211_rx_michael_mic_report(local->mdev, hdr, &rx); 1910 return; 1911 } 1912 1913 if (unlikely(local->sta_sw_scanning || local->sta_hw_scanning)) 1914 rx.flags |= IEEE80211_RX_IN_SCAN; 1915 1916 ieee80211_parse_qos(&rx); 1917 ieee80211_verify_ip_alignment(&rx); 1918 1919 skb = rx.skb; 1920 1921 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 1922 if (!netif_running(sdata->dev)) 1923 continue; 1924 1925 if (sdata->vif.type == IEEE80211_IF_TYPE_MNTR) 1926 continue; 1927 1928 bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 1929 rx.flags |= IEEE80211_RX_RA_MATCH; 1930 prepares = prepare_for_handlers(sdata, bssid, &rx, hdr); 1931 1932 if (!prepares) 1933 continue; 1934 1935 /* 1936 * frame is destined for this interface, but if it's not 1937 * also for the previous one we handle that after the 1938 * loop to avoid copying the SKB once too much 1939 */ 1940 1941 if (!prev) { 1942 prev = sdata; 1943 continue; 1944 } 1945 1946 /* 1947 * frame was destined for the previous interface 1948 * so invoke RX handlers for it 1949 */ 1950 1951 skb_new = skb_copy(skb, GFP_ATOMIC); 1952 if (!skb_new) { 1953 if (net_ratelimit()) 1954 printk(KERN_DEBUG "%s: failed to copy " 1955 "multicast frame for %s\n", 1956 wiphy_name(local->hw.wiphy), 1957 prev->dev->name); 1958 continue; 1959 } 1960 rx.fc = le16_to_cpu(hdr->frame_control); 1961 ieee80211_invoke_rx_handlers(prev, &rx, skb_new); 1962 prev = sdata; 1963 } 1964 if (prev) { 1965 rx.fc = le16_to_cpu(hdr->frame_control); 1966 ieee80211_invoke_rx_handlers(prev, &rx, skb); 1967 } else 1968 dev_kfree_skb(skb); 1969 } 1970 1971 #define SEQ_MODULO 0x1000 1972 #define SEQ_MASK 0xfff 1973 1974 static inline int seq_less(u16 sq1, u16 sq2) 1975 { 1976 return (((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1)); 1977 } 1978 1979 static inline u16 seq_inc(u16 sq) 1980 { 1981 return ((sq + 1) & SEQ_MASK); 1982 } 1983 1984 static inline u16 seq_sub(u16 sq1, u16 sq2) 1985 { 1986 return ((sq1 - sq2) & SEQ_MASK); 1987 } 1988 1989 1990 /* 1991 * As it function blongs to Rx path it must be called with 1992 * the proper rcu_read_lock protection for its flow. 1993 */ 1994 u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 1995 struct tid_ampdu_rx *tid_agg_rx, 1996 struct sk_buff *skb, u16 mpdu_seq_num, 1997 int bar_req) 1998 { 1999 struct ieee80211_local *local = hw_to_local(hw); 2000 struct ieee80211_rx_status status; 2001 u16 head_seq_num, buf_size; 2002 int index; 2003 u32 pkt_load; 2004 struct ieee80211_supported_band *sband; 2005 struct ieee80211_rate *rate; 2006 2007 buf_size = tid_agg_rx->buf_size; 2008 head_seq_num = tid_agg_rx->head_seq_num; 2009 2010 /* frame with out of date sequence number */ 2011 if (seq_less(mpdu_seq_num, head_seq_num)) { 2012 dev_kfree_skb(skb); 2013 return 1; 2014 } 2015 2016 /* if frame sequence number exceeds our buffering window size or 2017 * block Ack Request arrived - release stored frames */ 2018 if ((!seq_less(mpdu_seq_num, head_seq_num + buf_size)) || (bar_req)) { 2019 /* new head to the ordering buffer */ 2020 if (bar_req) 2021 head_seq_num = mpdu_seq_num; 2022 else 2023 head_seq_num = 2024 seq_inc(seq_sub(mpdu_seq_num, buf_size)); 2025 /* release stored frames up to new head to stack */ 2026 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) { 2027 index = seq_sub(tid_agg_rx->head_seq_num, 2028 tid_agg_rx->ssn) 2029 % tid_agg_rx->buf_size; 2030 2031 if (tid_agg_rx->reorder_buf[index]) { 2032 /* release the reordered frames to stack */ 2033 memcpy(&status, 2034 tid_agg_rx->reorder_buf[index]->cb, 2035 sizeof(status)); 2036 sband = local->hw.wiphy->bands[status.band]; 2037 rate = &sband->bitrates[status.rate_idx]; 2038 pkt_load = ieee80211_rx_load_stats(local, 2039 tid_agg_rx->reorder_buf[index], 2040 &status, rate); 2041 __ieee80211_rx_handle_packet(hw, 2042 tid_agg_rx->reorder_buf[index], 2043 &status, pkt_load, rate); 2044 tid_agg_rx->stored_mpdu_num--; 2045 tid_agg_rx->reorder_buf[index] = NULL; 2046 } 2047 tid_agg_rx->head_seq_num = 2048 seq_inc(tid_agg_rx->head_seq_num); 2049 } 2050 if (bar_req) 2051 return 1; 2052 } 2053 2054 /* now the new frame is always in the range of the reordering */ 2055 /* buffer window */ 2056 index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) 2057 % tid_agg_rx->buf_size; 2058 /* check if we already stored this frame */ 2059 if (tid_agg_rx->reorder_buf[index]) { 2060 dev_kfree_skb(skb); 2061 return 1; 2062 } 2063 2064 /* if arrived mpdu is in the right order and nothing else stored */ 2065 /* release it immediately */ 2066 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 2067 tid_agg_rx->stored_mpdu_num == 0) { 2068 tid_agg_rx->head_seq_num = 2069 seq_inc(tid_agg_rx->head_seq_num); 2070 return 0; 2071 } 2072 2073 /* put the frame in the reordering buffer */ 2074 tid_agg_rx->reorder_buf[index] = skb; 2075 tid_agg_rx->stored_mpdu_num++; 2076 /* release the buffer until next missing frame */ 2077 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) 2078 % tid_agg_rx->buf_size; 2079 while (tid_agg_rx->reorder_buf[index]) { 2080 /* release the reordered frame back to stack */ 2081 memcpy(&status, tid_agg_rx->reorder_buf[index]->cb, 2082 sizeof(status)); 2083 sband = local->hw.wiphy->bands[status.band]; 2084 rate = &sband->bitrates[status.rate_idx]; 2085 pkt_load = ieee80211_rx_load_stats(local, 2086 tid_agg_rx->reorder_buf[index], 2087 &status, rate); 2088 __ieee80211_rx_handle_packet(hw, tid_agg_rx->reorder_buf[index], 2089 &status, pkt_load, rate); 2090 tid_agg_rx->stored_mpdu_num--; 2091 tid_agg_rx->reorder_buf[index] = NULL; 2092 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 2093 index = seq_sub(tid_agg_rx->head_seq_num, 2094 tid_agg_rx->ssn) % tid_agg_rx->buf_size; 2095 } 2096 return 1; 2097 } 2098 2099 static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local, 2100 struct sk_buff *skb) 2101 { 2102 struct ieee80211_hw *hw = &local->hw; 2103 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 2104 struct sta_info *sta; 2105 struct tid_ampdu_rx *tid_agg_rx; 2106 u16 fc, sc; 2107 u16 mpdu_seq_num; 2108 u8 ret = 0, *qc; 2109 int tid; 2110 2111 sta = sta_info_get(local, hdr->addr2); 2112 if (!sta) 2113 return ret; 2114 2115 fc = le16_to_cpu(hdr->frame_control); 2116 2117 /* filter the QoS data rx stream according to 2118 * STA/TID and check if this STA/TID is on aggregation */ 2119 if (!WLAN_FC_IS_QOS_DATA(fc)) 2120 goto end_reorder; 2121 2122 qc = skb->data + ieee80211_get_hdrlen(fc) - QOS_CONTROL_LEN; 2123 tid = qc[0] & QOS_CONTROL_TID_MASK; 2124 2125 if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL) 2126 goto end_reorder; 2127 2128 tid_agg_rx = sta->ampdu_mlme.tid_rx[tid]; 2129 2130 /* null data frames are excluded */ 2131 if (unlikely(fc & IEEE80211_STYPE_NULLFUNC)) 2132 goto end_reorder; 2133 2134 /* new un-ordered ampdu frame - process it */ 2135 2136 /* reset session timer */ 2137 if (tid_agg_rx->timeout) { 2138 unsigned long expires = 2139 jiffies + (tid_agg_rx->timeout / 1000) * HZ; 2140 mod_timer(&tid_agg_rx->session_timer, expires); 2141 } 2142 2143 /* if this mpdu is fragmented - terminate rx aggregation session */ 2144 sc = le16_to_cpu(hdr->seq_ctrl); 2145 if (sc & IEEE80211_SCTL_FRAG) { 2146 ieee80211_sta_stop_rx_ba_session(sta->sdata->dev, sta->addr, 2147 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 2148 ret = 1; 2149 goto end_reorder; 2150 } 2151 2152 /* according to mpdu sequence number deal with reordering buffer */ 2153 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 2154 ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, 2155 mpdu_seq_num, 0); 2156 end_reorder: 2157 return ret; 2158 } 2159 2160 /* 2161 * This is the receive path handler. It is called by a low level driver when an 2162 * 802.11 MPDU is received from the hardware. 2163 */ 2164 void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb, 2165 struct ieee80211_rx_status *status) 2166 { 2167 struct ieee80211_local *local = hw_to_local(hw); 2168 u32 pkt_load; 2169 struct ieee80211_rate *rate = NULL; 2170 struct ieee80211_supported_band *sband; 2171 2172 if (status->band < 0 || 2173 status->band >= IEEE80211_NUM_BANDS) { 2174 WARN_ON(1); 2175 return; 2176 } 2177 2178 sband = local->hw.wiphy->bands[status->band]; 2179 2180 if (!sband || 2181 status->rate_idx < 0 || 2182 status->rate_idx >= sband->n_bitrates) { 2183 WARN_ON(1); 2184 return; 2185 } 2186 2187 rate = &sband->bitrates[status->rate_idx]; 2188 2189 /* 2190 * key references and virtual interfaces are protected using RCU 2191 * and this requires that we are in a read-side RCU section during 2192 * receive processing 2193 */ 2194 rcu_read_lock(); 2195 2196 /* 2197 * Frames with failed FCS/PLCP checksum are not returned, 2198 * all other frames are returned without radiotap header 2199 * if it was previously present. 2200 * Also, frames with less than 16 bytes are dropped. 2201 */ 2202 skb = ieee80211_rx_monitor(local, skb, status, rate); 2203 if (!skb) { 2204 rcu_read_unlock(); 2205 return; 2206 } 2207 2208 pkt_load = ieee80211_rx_load_stats(local, skb, status, rate); 2209 local->channel_use_raw += pkt_load; 2210 2211 if (!ieee80211_rx_reorder_ampdu(local, skb)) 2212 __ieee80211_rx_handle_packet(hw, skb, status, pkt_load, rate); 2213 2214 rcu_read_unlock(); 2215 } 2216 EXPORT_SYMBOL(__ieee80211_rx); 2217 2218 /* This is a version of the rx handler that can be called from hard irq 2219 * context. Post the skb on the queue and schedule the tasklet */ 2220 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb, 2221 struct ieee80211_rx_status *status) 2222 { 2223 struct ieee80211_local *local = hw_to_local(hw); 2224 2225 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 2226 2227 skb->dev = local->mdev; 2228 /* copy status into skb->cb for use by tasklet */ 2229 memcpy(skb->cb, status, sizeof(*status)); 2230 skb->pkt_type = IEEE80211_RX_MSG; 2231 skb_queue_tail(&local->skb_queue, skb); 2232 tasklet_schedule(&local->tasklet); 2233 } 2234 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 2235